Analysis of network traffic

ABSTRACT

Embodiments generally disclosed herein include a computer-implemented method for monitoring and correlating network traffic data associated with a primary network that is in communication with a plurality of secondary networks. The method generates a network traffic data set by monitoring network traffic between the primary network and the plurality of secondary networks. The method also determines a mapping of network connectivity by monitoring inter-network routing information between the primary network and the plurality of secondary networks. In addition, the method generates a traffic measurement data set by monitoring network utilization statistics between the primary network and the plurality of secondary networks. With the collected data sets, the method then calculates a relational network mapping between the primary network and the plurality of secondary networks by correlating the network traffic data set, the mapping of network connectivity, and the traffic measurement data set.

RELATED APPLICATIONS

This application claims the benefit of commonly owned U.S. ProvisionalApplication No. 61/149,130, filed Feb. 2, 2009, entitled “Analysis ofNetwork Traffic,” which is incorporated by reference in its entirety forall purposes.

TECHNICAL FIELD

Embodiments presently disclosed generally relate to networkcommunications. More specifically, embodiments herein relate tomonitoring and correlating network traffic data associated with aprimary network that is in communication with a one or more secondarynetworks.

BACKGROUND OF THE INVENTION

Networks such as autonomous systems (ASs) are complex systems of devices(e.g., routers, switches, gateways, etc.) and various routing protocolsthat require constant monitoring and management to ensure efficientperformance for its users. Operators of networks often use conventionaltechniques for monitoring and managing these complex systems. One suchconventional technique is made possible by use of the Simple NetworkManagement Protocol (SNMP).

For example, SNMP processes, or agents, run on network devices (e.g.,routers, switches, etc.) and monitor network traffic information such asoctet strings, network addresses (e.g., Internet Protocol “IP”addresses), object identifiers, and the like. The agent processesperiodically report the monitored network traffic information back toone or more central or managing network devices via SNMP. There, themanaging network devices can aggregate and process network trafficinformation from several agent processes that gather and report networkdata from around the network.

SUMMARY OF THE INVENTION

Embodiments generally disclosed herein include a computer-implementedmethod and system for monitoring and correlating network traffic dataassociated with a primary network that is in communication with aplurality of secondary networks. The method comprises a networkcorrelator capable of generating a network traffic data set bymonitoring network traffic between the primary network and a pluralityof secondary networks (e.g., customer and peer networks). The networkcorrelator can further determine a mapping of network connectivity bymonitoring inter-network routing information between the primary networkand the plurality of secondary networks. In addition, the networkcorrelator can generate a traffic measurement data set by monitoringnetwork utilization statistics between the primary network and pluralityof secondary networks.

With this information, the network correlator is capable of calculatinga relational network mapping between the primary network and pluralityof secondary networks by correlating the network traffic data set, themapping of network connectivity and the traffic measurement data set.The relational network mapping may be displayed on a graphical userinterface in accordance with various configurable parameters.

BRIEF DESCRIPTION OF DRAWINGS

The foregoing and other objects, features and advantages of theinvention will be apparent from the following description of particularembodiments of the invention, as illustrated in the accompanyingdrawings in which like reference characters refer to the same partsthroughout the different views. The drawings are not necessarily toscale, emphasis instead being placed upon illustrating the principles ofthe invention.

FIG. 1 is a block diagram of a network environment for monitoring andcorrelating network traffic data in accordance with an exampleembodiment.

FIG. 2 is a block diagram of a network configuration for monitoring andcorrelator network traffic data in accordance with an exampleembodiment.

FIG. 3 is a block diagram of a network environment for monitoring andcorrelating network traffic data in accordance with an exampleembodiment.

FIGS. 4A-4C are graphical representations of various relational networkmapping configurations in accordance with an example embodiment.

FIG. 5 is a block diagram of a network environment for performing impactanalysis in accordance with an example embodiment.

FIG. 6 is a block diagram of a network environment for performing bypassanalysis in accordance with an example embodiment.

FIG. 7 is a block diagram of a computer system suitable for performingnetwork monitoring and data correlation in accordance with an exampleembodiment.

FIG. 8 is a flow chart that shows processing operations performed by anetwork correlator in accordance with an example embodiment.

FIG. 9 is a flow chart that shows processing operations performed by anetwork correlator in accordance with an example embodiment.

FIGS. 10 and 11 are flow charts that show processing operationsperformed by a network correlator in accordance with an exampleembodiment.

FIG. 12 is a flow chart that shows processing operations performed by anetwork correlator in accordance with an example embodiment.

FIGS. 13 and 14 are flow charts that show processing operationsperformed by a network correlator in accordance with an exampleembodiment.

Throughout the drawing figures, like reference numerals will beunderstood to refer to like parts and components.

DETAILED DESCRIPTION

Embodiments disclosed herein provide for improved methods and systemsfor monitoring and processing raw network data and creating ananalytical framework for evaluating network traffic statistics andbehavior. Such improvements will become apparent in the discussion ofthe embodiments and related figures below.

FIG. 1 is a block diagram of a network environment 100 including aprimary network 105 and multiple secondary networks. The secondarynetworks include customer network 110, customer network 115, peernetwork 120, and peer network 125. Network correlator 150 includesnetwork flow collector module 160, traffic measurement aggregator module170, and network mapping enrichment module 180. Relational networkmapping 190 is generated by network correlator 150. Note that a modulemay be implemented as hardware, software, or a combination of bothhardware and software.

Primary network 105 includes multiple ingress/egress routers incommunication with the various secondary networks. For example, edgerouter 130-1 of primary network 105 interfaces with edge router 140-1 ofcustomer network 110, edge router 130-2 of primary network 105interfaces with edge router 145-1 of customer network 115, edge router130-3 of primary network 105 interfaces with edge router 147-1 of peernetwork 120, and edge router 130-4 of primary network 105 interfaceswith edge router 149-1 of peer network 125. Note that edge routers130-1, 130-2, 130-3, and 130-4 can communicate with one another acrossprimary network 105 over multiple iterations and hops of others routerscontained within the primary network as indicated by the ellipses in thedouble arrowed lines.

Note that edge router 140-1 in customer network 110 can communicate withrouter 140-N via one or more router hops, wherein router 140-N mayinterface with another network, gateway, end user, etc. Similarly, edgerouter 145-1 in customer network 115 can communicate with router 145-Nvia one or more router hops, wherein router 145-N may interface withanother network, gateway, end user, etc. Edge router 147-1 in peernetwork 120 can communicate with router 147-N via one or more routerhops, wherein router 147-N may interface with another network, gateway,end user, etc. Additionally, edge router 149-1 in peer network 125 cancommunicate with router 149-N via one or more router hops, whereinrouter 149-N may interface with another network, gateway, end user, etc.

Although only two customer networks and two peer networks are shown inthe example embodiment of FIG. 1, more (or fewer) customer and/or peernetworks may directly interface with the primary network 105 forpurposes of describing the disclosed embodiments.

During general operation, the network correlator 150 monitors andgathers information from the primary network's 105 interaction with thesecondary networks. Each module of the network correlator 150 monitorsand collects various network data and statistics in order for thenetwork correlator 150 to generate the relational network mapping 190.The relational network mapping 190 can then be represented in aconfigurable graphical interface for a user (e.g., network operator) toevaluate network behavior and traffic patterns of the primary network105 with respect to network traffic transceived between (i.e., sent toand received by) the secondary networks. With its robust configurabilityand integration of rich network data, the relational network mapping 190can provide valuable insight into previously unrealized businessopportunities and network operating strategies. These advantages willbecome apparent during the discussion of the embodiments and relatedfigures below.

In embodiments disclosed herein, it should be noted that the networkcorrelator 150 (and related modules) can, for example, generate therelational network mapping 190 with network data and statistics suppliedonly by the primary network 105—although not required for implementationof network correlator 150. In other words, the network correlator 150need not directly receive or extract network data from other networks(i.e., secondary networks) to generate the relational network mapping190.

It should also be noted that, although shown as part of the networkcorrelator 150, each module (i.e., network flow collector 160, trafficmeasurement aggregator module 170, and network mapping enrichment module180) can operate independently of the network correlator 150 as adifferent process executing on the same or separate devices (e.g.,routers, servers, PCs, etc.). The modules in FIG. 1 are shown as part ofthe network correlator 150 module/process for purposes of example only.

Note that the primary network is designated as “primary” since it is thenetwork being analyzed by the network correlator. Any other network forthat matter may also be scrutinized by the network correlator to providesimilar statistical and behavioral analysis (e.g., relational networkmapping) in accordance with embodiments disclosed herein.

FIG. 2 is a block diagram of a network processing environment 200including a primary network 205 and network correlator 150. The primarynetwork supplies information to the network correlator 150 by way ofrouter interfaces 210, Simple Network Management Protocol (SNMP)counters 220, and Border Gateway Protocol (BGP) tables 230. Similar toFIG. 1, network correlator 150 includes network flow collector module160, traffic measurement aggregator module 170, and network mappingenrichment module 180. The network flow collector module 160 provides anetwork traffic data set 260, the traffic measurement aggregator moduleprovides a traffic measurement data set 270, and the network mappingenrichment module 180 provides a mapping of network connectivity 280.

During general operation, the network correlator 150 processes andcorrelates the network traffic data set 260, traffic measurement dataset 270, and mapping of network connectivity 280 to generate therelational network mapping 190. Stated differently, the networkcorrelator 150 is said to enrich the network traffic data set 260 withthe traffic measurement data set 270 and mapping of network connectivity280 in order to create the relational network mapping 190, according toan example embodiment.

Generally, the network flow collector module 160 collects network dataand statistics to provide information (via network traffic data set 260)related to the identity of who sends and receives network traffic at aparticular router interface 210 (e.g., ingress router) in the primarynetwork 205. In particular, this information can include, for example, arouter identifier, an interface identifier for that particular router(assuming multiple network interfaces per router), an origin AutonomousSystem (AS) number, a destination AS number, etc. Such information canalso include an estimation or approximation of the amount or rate oftraffic transceived at that particular ingress interface.

In the same vein, the traffic measurement aggregator module 170 collectsnetwork data and statistics to provide information (via trafficmeasurement data set 270) related to an amount (or rate) of datatransceived at a particular router interface 210 of the primary network205. This measurement of the amount (or rate) of network traffic made bythe traffic measurement aggregator module 170 is much more accurate thanthe traffic measurement provided by the network flow collector module160. However, the traffic measurement aggregator module 170 does notknow from where the network traffic was received, or to where thenetwork traffic was sent, at the router interface 210. In other words,the traffic measurement aggregator module 170 determines an amount (orrate) of network traffic sent to or received at an ingress routerinterface 210, but generally does not know who sent or who received thisnetwork traffic.

For example, assume that the network flow collector module 160 detects,during a given time period, that a particular router interface 210receives about 3 megabits per second (Mbps) of network traffic fromcustomer network A that is being transmitted to customer network B.Further assume that the network flow collector module 160 detects thatthe particular router interface 210 receives about 6 Mbps of networktraffic from customer A that is being transmitted to customer C, as wellas an additional 9 Mbps of network received that is being transmitted tocustomer D. In total, the network flow collector module 160 detectsapproximately 18 Mbps of network traffic received from customer A (andintended for customers B, C and D) at the particular router interface210 during the given time period. This information is reflected in thenetwork traffic data set 260.

Next, assume that the traffic measurement aggregator module 170 detects,for the given time period, that the particular router interface 210receives a total of 24 Mbps of network traffic from customer A—althoughnot knowing to where the 24 Mbps of network traffic is sent. Thisinformation is reflected in the traffic measurement data set 270 (e.g.,router interface 210 received network traffic at a rate of 24 Mbps fromcustomer A during a 5 minute sampling interval).

In continuing with the above example, the network correlator 150 wouldprocess and correlate the network traffic data set 260 and trafficmeasurement data set 270 to yield a more accurate (and normalized)representation of network traffic received at the particular routerinterface 210 during the given time period. As such, the trafficmeasurement data set 270 normalizes the traffic measurements made by thenetwork flow collector module 160 over the given time period (e.g., 5minutes) to provide a more precise measurement and assessment of networktraffic flow associated with the particular router interface 210. Forthis example, the network traffic from customer A being sent to customerB would be normalized to 4 Mbps, the network traffic from customer Abeing sent to for customer C would be normalized to 8 Mbps, and thenetwork traffic from customer A being sent to customer D would benormalized to 12 Mbps—thus yielding a total of 24 Mbps, the sameamount/rate of network traffic detected by the traffic measurementaggregator module 170 as represented in the traffic measurement data set270. Note that this is only one example aspect of how the networkcorrelator 150 processes data and does not yet include furtherenrichment techniques using the mapping of network connectivity 280, aswill be discussed further below.

According to another example embodiment, the traffic measurementaggregator module 170 monitors and collects network traffic amounts andrates using SNMP counters 220 and SNMP messaging. The SNMP counters 220typically normalize network traffic data (e.g., packet octets) inaccordance with a predetermined sampling rate (e.g., 5 minutes).Normalization can be determined by measuring an amount of datatransceived over a router interface 210 during a given sampling periodagainst the associated data rate of network traffic transceived over therouter interface 210 during the given sampling period. In one exampleembodiment, the SNMP counters 220 communicate with the networkcorrelator 150 via SNMP messages/messaging.

Still referring to the example embodiment of FIG. 2, the network mappingenrichment module 180 monitors and collects information from BGP tablesassociated with the primary network's 205 connectivity relationshipswith its secondary networks. For example, BGP information and tables canbe obtained from third party vendors that gather and distribute suchcollections of data. The BGP tables can include, for example, routingtables that are advertised by secondary networks. The routing tableshave connectivity information (e.g., IP addresses, AS paths, etc.) thatprovide which destinations are reachable from a particular ingressrouter in a secondary network that interfaces with an egress router inthe primary network 205. Furthermore, the BGP tables associated with thevarious secondary networks can be localized into one or more aggregatedBGP tables within the primary network, thus providing a more global andcomplete view of the primary network's connectivity with its secondarynetworks. In particular, and as will be discussed in more detail below,the mapping of network connectivity 280 provides egress AS numbersassociated with network traffic. With egress AS numbers, it can bedetermined to which secondary network (i.e., directly interfacednetwork) the traffic is being sent (via an egress router interface ofthe primary network 205).

As shown in the example embodiment of FIG. 2, the network correlator 150processes and correlates the network traffic data set 260, the trafficmeasurement data set 270, and mapping of network connectivity 280 togenerate the relational network mapping 190.

The network traffic data set 260, traffic measurement data set 270, andmapping of network connectivity 280 are discussed in more detail belowwith respect to FIG. 3.

FIG. 3 Is a block diagram of an example network configuration 300including a primary network 305 having AS number AS5, network 310 havingAS number AS1, network 320 having AS number AS2, network 330 having ASnumber AS3, and network 340 having AS number AS4. Note that the ellipsesbetween network 320 and network 310, and between network 330 and network340, indicate that one or more networks may reside between thoserespective networks.

The example embodiment of FIG. 3 depicts router 350 in network 310sending network traffic (e.g., originating from a server or otherend-user device) to router 360 in network 340 (as indicated by traffictraversal line 302). Note that the network traffic traverses network320, primary network 305, and network 330 during its journey to router360 in network 340 (e.g., so that router 360 may ultimately route thetraffic to an end-user device). Further note that the network trafficsent by router 350 passes through ingress router interface 370 andegress router interface 375 of primary network 305.

Given this example data transmission 302, the network flow collectormodule 160 collects network data and statistics to create networktraffic data set 260 having information such as, for example, origin IPaddress of router 350, destination IP address of router 360, origin ASof network 310 (AS1), destination AS of network 340 (AS4), ingress AS ofnetwork 320 (AS2), etc. The network traffic data set 260 can alsoinclude an approximated amount and/or rate of network traffic associatedwith the data transmission at the ingress router interface 370.

Furthermore, the traffic measurement aggregator module 170 collectsnetwork data and statistics to create traffic measurement data set 270.As previously discussed, the traffic measurement aggregator module 170normalizes network traffic amounts and/or rates transceived at aparticular ingress interface (e.g., ingress interface 370 in thisexample) during a given sampling period. The traffic measurement dataset 270 can be used to provide a more accurate representation of theamount (or rate) of data transmitted through the primary network 305.

Referring still to FIG. 3, the network mapping enrichment module 180collects data and statistics to create the mapping of networkconnectivity 280. For the example data transmission between router 350and router 360, the mapping of network connectivity 280 can includeinformation such as, for example, AS path (e.g., AS1, . . . , AS2, AS5,AS3, . . . , AS4), egress AS of network 330 (AS3), destination AS ofnetwork 340 (AS4), etc. In one example, the egress AS of network 330(AS3) can be ascertained by determining that network traffic passesthrough egress router interface 375 of the primary network 305 and,then, using this information to find an associated egress AS in a BGPtable that was advertised to egress router interface 375 by network 330.

In another example embodiment, the network correlator 150 (e.g., vianetwork flow collector module 160) can use network data (e.g., routerinterface identifier, AS number, etc.) to determine the “to whom” and“from whom” of a data transmission. For example, the network correlator(or other process) can perform a table lookup in a customer databaseusing a router interface identifier (or, for example, an IP address,router device identifier, etc.) to determine from which customer networkor peer network the transmission is being sent. Similarly, such networkdata can be used for geo-location purposes to determine a geographiclocation or proximity of a sender/receiver of the data transmission(e.g., associated with an origination and/or destination IP address).For example, the IP address of the sender/receiver of network trafficcan be used to perform a table look-up in a database that containsgeo-location information. Such information can be useful to determinemore specific geographic spans of a primary network that are utilizedduring various data transmissions between secondary networks.

FIGS. 4A-4C depict example graphical representations of the relationalnetwork mapping 190. In one example embodiment, the network correlator150 displays one or more of these graphical representations in agraphical user interface.

The relational network mapping 190 may be configured according tonetwork parameters in order to show a more detailed perspective oftraffic behavior in a primary network. The configurability of suchparameters is made possible, at least in part, by the monitoring andcorrelation of the various network data and statistics provided by themodules disclosed herein.

For example, the relational network mapping 190 may be configuredaccording to a region parameter. The region parameters can narrow thedisplay of the network traffic to various regions supported by thenetwork. Using such data as, for example, origination AS, destinationAS, ingress AS, egress AS, etc., the relational network mapping can beselectively configured to only show network traffic transceived over aparticular region (e.g., United States, Europe, East Coast, etc.).

FIG. 4A shows two example pie charts that depict a manifestation of therelational network mapping 190 as configured according to the regionparameter. The pie chart on the left shows a breakdown of networktraffic sent from Customer 1 over Region 1 (e.g., United States) of theprimary network during a given time period (e.g., one month). That is,customer C2, customer C4, peer P3, and peer P6 each received aproportion of total network traffic from Customer 1 over Region 1 of theprimary network for a given time period as represented by the proportionof each slice of the pie.

Similarly, the pie chart on the right in FIG. 4A shows an examplebreakdown of network traffic received by Customer 1 over Region 2 (e.g.,Europe) of the primary network during a given time period (e.g., onemonth). That is, customer C1, customer C5, and peer P2 each sent aproportion of total network traffic to Customer 1 over Region 2 of theprimary network for a given time period as represented by the proportionof each slice of the pie.

In another example embodiment, the relational network mapping 190 may beconfigured according to a traffic type parameter. The traffic typeparameter can narrow the display of the network traffic to varioustraffic types supported by the network. Using such data as, for example,an ingress AS, a network interface identifier, etc., the relationalnetwork mapping 190 can be selectively configured to show networktraffic transceived according to a particular traffic type (e.g.,on-net, off-net, etc.). Generally, on-net is traffic that remainsexclusively on the primary network or a customer network. Off-nettraffic, on the other hand, is traffic that ingresses or egresses to apeer network.

FIG. 4B shows two example pie charts that depict a manifestation of therelational network mapping 190 as configured according to the traffictype parameter. The pie chart on the left shows a breakdown of on-netnetwork traffic sent by Customer 1 over the primary network during agiven time period (e.g., one week). That is, customer C2, customer C3,customer C5, customer C7, and customer C9 each received a proportion oftotal network traffic from Customer 1 over the primary network for agiven time period as represented by the proportion of each slice of thepie. Note that since the parameter is configured as “on-net,” onlycustomer networks of the primary network are shown in the pie chart,according to this example embodiment.

Similarly, the pie chart on the right in FIG. 4B shows an examplebreakdown of off-net network traffic received by Customer 1 over theprimary network during a given time period (e.g., one week). That is,peer P3, peer P4, peer P6, and peer P8 each sent a proportion of totalnetwork traffic to Customer 1 over the primary network for a given timeperiod as represented by the proportion of each slice of the pie. Notethat since the parameter is configured as “off-net” in FIG. 4B, onlypeer networks of the primary network are shown in the pie chart,according to this example embodiment.

According to another example embodiment, the relational network mapping190 may be configured according to a transmission parameter. Thetransmission parameter can narrow the display of the network traffic tovarious transmission types supported by the network. Using such data as,for example, origination AS, destination AS, ingress AS, egress AS,etc., the relational network mapping 190 can be selectively configuredto show network traffic transceived according to a transmission type(e.g., backbone, long-haul, local, etc.).

FIG. 4C shows two example pie charts that depict a manifestation of therelational network mapping 190 as configured according to thetransmission parameter. The pie chart on the left shows a breakdown ofnetwork traffic sent by Customer 1 over the backbone of the primarynetwork during a given time period (e.g., one month). That is, customerC3, customer C4, peer P2, and peer P5 each received a proportion oftotal network traffic from Customer 1 over the backbone of the primarynetwork for a given time period as represented by the proportion of eachslice of the pie.

Similarly, the example pie chart on the right in FIG. 4C shows abreakdown of network traffic received by Customer 1 over the localtransmission portion of the primary network during a given time period(e.g., one month). That is, customer C5, customer C7, and peer P3 eachsent a proportion of total network traffic to Customer 1 over the localtransmission portion of the primary network for a given time period asrepresented by the proportion of each slice of the pie.

Note that each of the parameters (i.e., region, traffic type andtransmission) may be configured simultaneously or in variouscombinations in order to further tailor the representation of therelational network mapping 190. Such robust configurability provides asignificant improvement for analyzing network operational statistics inthat a network's behavior can be evaluated from varying and uniqueperspectives at the same time.

For example, the relational network mapping 190 can be configuredaccording to Region 1, On-net traffic, and Backbone traffic for networktraffic transceived over the primary network by a particular customer orpeer network. Furthermore, the relational network mapping 190 can beconfigured to show either network traffic received from or sent to aparticular customer or peer network over the primary network in additionto one or more configurable combinations of the previously describedparameters.

It should also be noted that the parameters (i.e., region, traffic typeand transmission) described in these example embodiments do notrepresent an exhaustive list and, as such, other configurable parameterssuitable for representing statistical data of network traffic flow andbehavior may also be implemented in furtherance of configuring therelational network mapping 190.

It should be further noted that the pie charts in FIGS. 4A-4C are usedfor purposes of example only. Certainly, other commonly known methodsfor representing statistical data (e.g., line graphs, bar graphs, Venndiagrams, etc.) may be used to graphically display the relationalnetwork mapping and its various configurations, and such methods andtechniques are contemplated to be within the scope of the presentembodiments.

FIG. 5 is a block diagram of a network environment 500 that depicts anexample scenario for performing impact analysis in accordance withembodiments herein. Primary network 505 directly interfaces withcustomer network 510 and customer network 540. Customer network 510, inturn, is in communication—either directly or indirectly—with network520, network 530, and network 540.

In general, impact analysis performed by the network correlator 150 (andmanifested by the relational network mapping 190) can be useful todetermine the business impact of discontinuing connectivity with adirectly interfaced network (e.g., customer network 510 or any othercustomer or peer network not shown). Referring to the exampleconfiguration in FIG. 5, primary network 505 can reach (or is inindirect communication with) network 520, network 530 and network 540via customer network 510. However, since primary network 505 only hasconnectivity with network 520 and network 530 via customer network 510,the primary network would lose connectivity to network 520 and network530 if connectivity with customer network 510 were to be discontinued.Nonetheless, since primary network 505 is already communicably coupled(even if indirectly) with network 540, primary network 505 would notlose connectivity with network 540 if it were to discontinueconnectivity with customer network 510.

In one example embodiment, the network correlator 150 (as manifested bythe relational network mapping 190) can provide such an impact analysisby determining which AS numbers (and thus which networks) are reachablevia customer network 510. The network correlator 150 could then comparethese AS numbers with a set of all AS numbers reachable by the primarynetwork 505 that do not connect through customer network 510. Then,those AS numbers that do not overlap in the compared groups of ASnumbers would represent networks that are only reachable throughcustomer network 510. In other words, primary network 505 would loseconnectivity with those AS numbers that do not overlap (and that areonly reachable through customer network 510) if the primary network 505would discontinue/terminate/etc. connectivity with customer network 510.As a result, business decisions can be encouraged or dissuaded dependingon the overall impact of discontinuing connectivity with a particularcustomer or peer network.

Note that the network correlator 150 can use other techniques and/orparameters for performing an impact analysis and that the embodiment(s)of FIG. 5 have been described for purposes of example only.

Further, and in accordance with the present embodiments, the relationalnetwork mapping 190 can be selectively configured to process and displayresults of an impact analysis on a graphical user interface. Forexample, the relational network mapping 190 can provide (and displayupon a graphical user interface) an impact analysis related todisconnecting a directly interfaced network and any resultant networks(or AS numbers) that would become unreachable by the primary network 505as a result. Similarly, in addition to, or in lieu of, the relationalnetwork mapping 190, information provided by one or more of the networktraffic data set 260, traffic measurement data set 270, and/or mappingof network connectivity 280 can be utilized to perform an impactanalysis as described above.

FIG. 6 is a block diagram of a network environment 600 that depicts anexample scenario for performing bypass detection in accordance withembodiments herein. Primary network 605 directly interfaces withcustomer network 610 (having AS number AS1), peer network 620 (having ASnumber AS2), and customer network 630 (having AS number AS3). In thisexample embodiment, router 640 in customer network 610 transceivesnetwork traffic with router 650 in customer network 630 (as indicated bytraffic traversal line 660). It should be noted that the network trafficdoes not flow directly from customer network 610 to primary network 605and, instead, flows indirectly through peer network 620. In other words,peer network 620 is an intermediary network between primary network 605and customer network 610 (at least for some network traffic, i.e., asindicated by traffic traversal line 660), even though primary network605 directly interfaces with customer network 610. Further note that,generally, traffic originates/terminates from/at other end-user devices(not shown) and does not originate/terminate from/at routers 640 and650.

In general, bypass detection performed by the network correlator 150(and manifested by relational network mapping 190) can be useful todetermine potential unrealized business opportunities with respect tothe operation of the primary network 605. Referring to the exampleconfiguration in FIG. 6, since the customer network 610 does notnecessarily have to transceive network traffic with the peer network 620in order to reach customer network 630, proprietors/operators/etc. ofthe primary network 605 can solicit business (a new or additionalconnectivity relationship) directly from the customer network 610. Thisis advantageous for the proprietors/operators/etc. of the primarynetwork 605 since they do not generate any revenue (or negligiblerevenue) in a traditional peering relationship—such is the case in theexample embodiment of FIG. 6 where primary network 605 does not receiveany revenue (at least from customer network 610) for transceivingnetwork traffic 660 since primary network 605 interfaces with peernetwork 620 (instead of customer network 610) for at least the purposesof performing transmission of network traffic 660. Thus, by directlyconnecting with the customer network 610 with respect to network traffic660 and, consequently, bypassing connectivity via peer network 620, theprimary network 605 is capable of generating additional revenue andrealizing previously undetected business opportunities. This directconnectivity relationship is exemplified by traffic traversal line 665in FIG. 6—note that peer network 620 is no longer a part of the networktraffic traversal path 665 between primary network 605 and customernetwork 610.

According to an example embodiment, the network correlator 150 can usethe mapping of network connectivity 280 to compare an origin AS (ordestination AS) of a network transmission, such as network traffic 660,with ingress or egress AS numbers already associated with the primarynetwork 605 and its directly interfaced networks. If it determined thatthe origin AS (or destination AS) of the network transmission is thesame as an ingress or egress AS associated with the primary network 605,and that there is one or more AS numbers in the AS path between theorigin or destination AS and the primary network, then the networkcorrelator 150 has detected a potential bypass opportunity, i.e., bybypassing the one or more AS numbers in the AS path between the originor destination AS and the primary network.

Note that the network correlator 150 can use other techniques and/orparameters for performing bypass detection and that the embodiment(s) ofFIG. 5 have been described for purposes of example only.

Further, and in accordance with the present embodiments, the relationalnetwork mapping 190 can be selectively configured to process and displayresults of a bypass detection analysis on a graphical user interface.For example, the relational network mapping 190 can provide informationrelated to a directly interfaced customer network that transceives atleast some of its network traffic indirectly through another (typicallypeer) network that is also directly interfaced with the primary network605. In this example, the graphical display would show the potential newcustomer network as well as the potential peer network that the primarynetwork 605 could bypass.

FIG. 7 is a schematic diagram of a computer system 700 upon whichembodiments of the present invention may be carried out and implemented.For example, one or more computing devices 700 (e.g., servers, routers,gateways, etc.) may be used to monitor and correlate network trafficdata and statistics for a primary network (e.g., primary network 790)and related secondary networks.

According to the present example, the computer system 700 includes a bus701 (i.e., interconnect), at least one processor 702, at least onecommunications port 703, a main memory 704, a removable storage media705, a read-only memory 706, and a mass storage 707. Processor(s) 702can be any known processor, such as, but not limited to, an Intel®Itanium® or Itanium 2® processor(s), AMD® Opteron® or Athlon MP®processor(s), or Motorola® lines of processors. Communications ports 703can be any of an RS-232 port for use with a modem based dial-upconnection, a 10/100 Ethernet port, a Gigabit port using copper orfiber, or a USB port. Communications port(s) 703 may be chosen dependingon a network such as a Local Area Network (LAN), a Wide Area Network(WAN), or any network to which the computer system 700 connects (e.g.,primary network 790). The computer system 700 may be in communicationwith peripheral devices (e.g., display screen 730, input device 716) viaInput/Output (I/O) port 709.

Main memory 704 can be Random Access Memory (RAM), or any other dynamicstorage device(s) commonly known in the art. Read-only memory 706 can beany static storage device(s) such as Programmable Read-Only Memory(PROM) chips for storing static information such as instructions forprocessor 702. Mass storage 707 can be used to store information andinstructions. For example, hard disks such as the Adaptec® family ofSmall Computer Serial Interface (SCSI) drives, an optical disc, an arrayof disks such as Redundant Array of Independent Disks (RAID), such asthe Adaptec® family of RAID drives, or any other mass storage devicesmay be used.

Bus 701 communicatively couples processor(s) 702 with the other memory,storage and communications blocks. Bus 701 can be a PCI/PCI-X, SCSI, orUniversal Serial Bus (USB) based system bus (or other) depending on thestorage devices used. Removable storage media 705 can be any kind ofexternal hard-drives, floppy drives, IOMEGA® Zip Drives, CompactDisc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW),Digital Video Disk-Read Only Memory (DVD-ROM), etc.

Embodiments herein may be provided as a computer program product, whichmay include a machine-readable medium having stored thereoninstructions, which may be used to program a computer (or otherelectronic devices) to perform a process. The machine-readable mediummay include, but is not limited to, floppy diskettes, optical discs,CD-ROMs, magneto-optical disks, ROMs, RAMs, erasable programmableread-only memories (EPROMs), electrically erasable programmableread-only memories (EEPROMs), magnetic or optical cards, flash memory,or other type of media/machine-readable medium suitable for storingelectronic instructions. Moreover, embodiments herein may also bedownloaded as a computer program product, wherein the program may betransferred from a remote computer to a requesting computer by way ofdata signals embodied in a carrier wave or other propagation medium viaa communication link (e.g., modem or network connection).

As shown, main memory 704 is encoded with network correlator application150-1 that supports functionality as discussed above and as discussedfurther below. Network correlator application 150-1 (and/or otherresources as described herein) can be embodied as software code such asdata and/or logic instructions (e.g., code stored in the memory or onanother computer readable medium such as a disk) that supportsprocessing functionality according to different embodiments describedherein. During operation of one embodiment, processor(s) 702 accessesmain memory 704 via the use of bus 701 in order to launch, run, execute,interpret or otherwise perform the logic instructions of the networkcorrelator application 150-1. Execution of network correlatorapplication 150-1 produces processing functionality in networkcorrelator process 150-2. In other words, the network correlator process150-2 represents one or more portions of the network correlatorapplication 150-1 performing within or upon the processor(s) 702 in thecomputer system 700.

It should be noted that, in addition to the network correlator process150-2 that carries out method operations as discussed herein, otherembodiments herein include the network correlator application 150-1itself (i.e., the un-executed or non-performing logic instructionsand/or data). The network correlator application 150-1 may be stored ona computer readable medium (e.g., a repository) such as a floppy disk,hard disk or in an optical medium. According to other embodiments, thenetwork correlator application 150-1 can also be stored in a memory typesystem such as in firmware, read only memory (ROM), or, as in thisexample, as executable code within the main memory 704 (e.g., withinRandom Access Memory or RAM). For example, network correlatorapplication 150-1 may also be stored in removable storage media 705,read-only memory 706, and/or mass storage device 707.

In addition to these embodiments, it should also be noted that otherembodiments herein include the execution of the network correlatorapplication 150-1 in processor(s) 702 as the network correlator process150-2. Thus, those skilled in the art will understand that the computersystem 700 can include other processes and/or software and hardwarecomponents, such as an operating system that controls allocation and useof hardware resources, or such as instances of the network flowcollector module 160, the traffic measurement aggregator module 170and/or the network mapping enrichment module 180. As such, the networkcorrelator 150 (application 150-1 and process 150-2), network flowcollector module 160 (application 160-1 and process 160-2), trafficmeasurement aggregator module 170 (application 170-1 and process 170-2),and network mapping enrichment module 180 (application 180-1 and process180-2) may be implemented on the same computerized device 700 (e.g.,router, server, etc.) as the same or separately executed processes, oron separate devices in various combinations as the same or separatelyexecuted processes.

As discussed herein, embodiments of the present invention includevarious steps or operations. A variety of these steps may be performedby hardware components or may be embodied in machine-executableinstructions, which may be used to cause a general-purpose orspecial-purpose processor programmed with the instructions to performthe operations. Alternatively, the steps may be performed by acombination of hardware, software, and/or firmware.

FIGS. 8-14 include flowcharts according to embodiments herein. Therectangular elements are herein denoted as “steps” and representcomputer software instructions or groups of instructions that carry outsuch functions. The flow diagrams do not necessarily depict the syntaxof any particular programming language. Rather, the flow diagramsillustrate the functional information one of ordinary skill in the artcould use to fabricate circuits or to generate computer software (or ahybrid of both circuits and software code) to carry out the features asdescribed herein.

It should be noted that many routine program elements, such asinitialization of loops and variables and the use of temporary variablesare inherent in the flowcharts. It will be appreciated by those ofordinary skill in the art that unless otherwise indicated herein, theparticular sequence of steps described is illustrative only and can bevaried without departing from the spirit of the invention. Thus, unlessotherwise stated the steps described below are unordered meaning that,when possible, the steps can be performed in any convenient or desirableorder.

Now, more specifically, FIG. 8 is a flow chart 800 of processing stepsthat shows processing operations performed by the network correlator 150(i.e., network correlator application 150-1 and/or the run-timeimplementation of network correlator process 150-2) in accordance withone example embodiment.

In step 805, the network correlator 150 generates a network traffic dataset by monitoring network traffic between a primary network and aplurality of secondary networks. In one example embodiment, theplurality of secondary networks include at least one customer network ofthe primary network and at least one peer network of the primarynetwork.

In step 810, the network correlator 150 determines a mapping of networkconnectivity by monitoring inter-network routing information between theprimary network and the plurality of secondary networks. The mapping ofnetwork connectivity can include, for example, BGP data such as AS pathsand egress AS numbers.

In step 815, the network correlator 150 calculates a relational networkmapping between the primary network and the plurality of secondarynetworks by correlating the network traffic data set and (or with) themapping of network connectivity.

FIG. 9 is a flow chart 900 of processing steps that shows processingoperations performed by the network correlator 150 in accordance withone example embodiment.

In step 905, the network correlator 150 generates a network traffic dataset. The network traffic data set can include, for example, origin ASnumber, destination AS number, origin IP address, destination IPaddress, ingress AS number, etc.

In step 910, the network correlator 150 identifies on-net traffic of theprimary network by determining which network traffic is transceivedbetween the primary network and at least one customer network of theprimary network. In other words, on-net traffic is typically defined astraffic that remains exclusively on the primary network or a customernetwork.

In step 915, the network correlator 150 identifies off-net traffic ofthe primary network by determining which network traffic is transceivedbetween primary network and at least one peer network of the primarynetwork. In other words, off-net traffic is typically defined as trafficthat ingresses or egresses to a peer network.

According to an example embodiment, the network correlator 150 collectsnetwork traffic data in accordance with a sampling rate (e.g., networktraffic transceived during a given 5 minute interval). The networkcorrelator 150 can then identify on-net or off-net traffic of theprimary network by determining, for each sampled transmission of networktraffic, at least one of an originating Autonomous System Number (ASN),a destination ASN, an ingress ASN, and/or an egress ASN.

In step 920, the network correlator 150 generates a measurement data setby monitoring network utilization statistics between the primary networkand the plurality of secondary networks.

In one example embodiment, the network correlator 150 monitors networkutilization statistics to determine an amount (or rate) of networktraffic that is transceived between the primary network and at least onecustomer network. Similarly, the network correlator 150 can monitornetwork utilization statistics to determine an amount of network trafficthat is transceived between the primary network and at least one peernetwork. For example, monitoring network utilization statistics caninclude aggregating sampled network data from one or more Simple NetworkManagement Protocol (SNMP) counters that are distributed throughout thenetwork at various network nodes (i.e., routers, gateways, etc.).Generally, the SNMP counters monitor and normalize network traffictransceived at a particular ingress or egress interface in the primarynetwork.

In step 925, the network correlator 150 determines a mapping of networkconnectivity (e.g., BGP tables and associated data).

In step 930, the network correlator 150 determines connectivityrelationships between edge routers in the primary network and edgerouters in the at least one customer network. For example, the networkcorrelator 150 can monitor advertised routing tables (via BGP) providedby an edge router in a customer network and supplied to an egress routerin the primary network.

In step 935, the network correlator 150 determines connectivityrelationships between edge routers in the primary network and edgerouters in the at least one peer network. Similar to the example above,the network correlator 150 can determine advertised routing tables (viaBGP) provided by an edge router in a peer network and supplied to anegress router in the primary network.

In step 940, the network correlator 150 calculates a relational networkmapping 190 between the primary network and the plurality of secondarynetworks.

In step 945, the network correlator 150 correlates the network trafficdata set, the mapping of network connectivity and the trafficmeasurement data set. For example, the network data set and trafficmeasurement data set may be correlated first to yield an aggregateand/or normalized network data set. In this example, the aggregateand/or normalized network data set would then be correlated with themapping of network connectivity to yield the relational network mapping190.

FIGS. 10 and 11 are flow charts 1000-1 and 1000-2, respectively,depicting processing steps that show processing operations performed bythe network correlator 150 in accordance with one example embodiment.

In step 1005, the network correlator 150 calculates a relational networkmapping 190 between the primary network and the plurality of secondarynetworks.

In step 1010, the network correlator 150 determines an amount of networktraffic transceived between the primary network and at least onecustomer network during a given time period.

In step 1015, the network correlator 150, for the given time period,determines an amount of network traffic transceived between the primarynetwork and at least one peer network.

In step 1020, the network correlator 150, for the given time period,determines a first proportion of network traffic transceived over theprimary network that is also transceived between the first customernetwork and the first peer network.

In step 1025, the network correlator 150, for the given time period,determines a second proportion of network traffic transceived over theprimary network that is also transceived between the first customernetwork and the second peer network.

In step 1030, the network correlator 150 compares the first proportionof network traffic with the second proportion of network traffic. Forexample, the first proportion of network traffic can be comparedgraphically with the second proportion of network traffic in a graphicaluser interface (e.g., via pie charts, line graphs, etc.).

In step 1035, the network correlator 150, for the given time period,determines a third proportion of network traffic transceived over theprimary network that is also transceived between the first peer networkand the first customer network.

In step 1040, the network correlator 150, for the given time period,determines a fourth proportion of network traffic transceived over theprimary network that is also transceived between the first peer networkand a second customer network

In step 1045, the network correlator 150 compares the third proportionof network traffic with the fourth proportion of network traffic. Forexample, the third proportion of network traffic can be comparedgraphically with the fourth proportion of network traffic in a graphicaluser interface (e.g., via pie charts, line graphs, etc.).

In step 1050, the network correlator 150, for the given time period,determines a fifth proportion of network traffic transceived over theprimary network that is also transceived between the first customernetwork and the second customer network.

In step 1055, the network correlator 150, for the given time period,determines a sixth proportion of network traffic transceived over theprimary network that is also transceived between the first customernetwork and a third customer network.

In step 1060, the network correlator 150 compares the fifth proportionof network traffic with the sixth proportion of network traffic. Forexample, the fifth proportion of network traffic can be comparedgraphically with the sixth proportion of network traffic in a graphicaluser interface (e.g., via pie charts, line graphs, etc.).

FIG. 12 is a flow chart 1200 of processing steps that shows processingoperations performed by the network correlator 150 in accordance withone example embodiment.

In step 1205, the network correlator 150 collects a network traffic dataset by monitoring network traffic statistics between the primary networkand the plurality of secondary networks.

In step 1210, the network correlator 150 collects the network trafficdata set at a pre-configured sampling rate, wherein a sampled portion ofthe network traffic data set represents statistics of a communicationbetween two network interfaces in accordance with a given networkprotocol during a given sampling time period, and wherein at least onenetwork interface is in the primary network.

In step 1215, the network correlator 150 determines a mapping of networkconnectivity.

In step 1220, the network correlator 150 monitors egress interfaces ofthe primary network using Border Gateway Protocol (BGP) to procureAutonomous System Numbers (ASNs) associated with the plurality ofsecondary networks.

In step 1225, the network correlator 150 renders a graphical display(e.g., in a graphical user interface) of the relational network mappingbetween the primary network and the plurality of secondary networks, thegraphical display including a first graphical region indicating a totalamount of network traffic transceived over the primary network for thegiven time period.

In step 1230, the network correlator 150 configures the graphicaldisplay to further include a second graphical region indicating aproportion of the total amount of network traffic transceived over theprimary network that is also transceived between at least one customernetwork and at least one peer network for the given time period.

According to another example embodiment, the network correlator 150renders a graphical display (e.g., in a graphical user interface) of therelational network mapping 190 between the primary network and theplurality of secondary networks. In this manner, the graphical displayincludes a first graphical region indicating an amount of networktraffic transceived between the primary network and a first customernetwork for a given time period. Note that the graphical display canfurther include a second graphical region indicating an amount ofnetwork traffic transceived over the primary network that is alsotransceived between the first customer network and a first peer networkfor the given time period.

Further yet, the graphical display can include a third graphical regionindicating an amount of network traffic transceived over the primarynetwork that is also transceived between the first customer network anda second customer network for the given time period. Similarly, thegraphical display can additionally include a third graphical regionindicating an amount of network traffic transceived over the primarynetwork that is also transceived between the first customer network anda second peer network for the given time period.

It should be noted that the graphical display can include multiplegraphical regions depending on how many customer and peer networks withwhich a selected secondary network transceives data.

In another example embodiment, the network correlator 150 renders agraphical display (e.g., in a graphical user interface) of therelational network mapping 190 between the primary network and theplurality of secondary networks. In this manner, the graphical displaycan include a first graphical region indicating an amount of networktraffic transceived between the primary network and a first peer networkfor the given time period. The graphical display can further include asecond graphical region indicating an amount of network traffictransceived over the primary network that is also transceived betweenthe first peer network and a first customer network for the given timeperiod. In such an embodiment, the graphical display can further yetinclude a third graphical region indicating an amount of network traffictransceived over the primary network that is also transceived betweenthe first peer network and a second customer network for the given timeperiod.

Again, the graphical display can include multiple graphical regionsdepending on how many customer and peer networks with which a selectedsecondary network transceives data.

FIGS. 13 and 14 are flow charts 1300-1 and 1300-2, respectively,depicting processing steps that show processing operations performed bythe network correlator 150 in accordance with one example embodiment.

In step 1305, the network correlator 150 provides a graphical userinterface that enables the relational network mapping 190 to beselectively configured in accordance with a set of configurableparameters.

In step 1310, the network correlator 150 displays the relational networkmapping 190 in the graphical user interface in accordance with the setof configurable parameters. The set of configurable parameters caninclude, but are not limited to, a region parameter (e.g., UnitedStates, Europe, West Coast, etc.), a traffic type parameter (e.g.,on-net, off-net, etc.), a transmission parameter (e.g., backbone,long-haul, local, etc.), or any other parameter suitable for providinganalysis of network traffic behavior.

In step 1315, the network correlator 150 adapts the set of configurableparameters to include a region parameter associated with one or moregeographic regions of the primary network. Given a first region and asecond region of the primary network, the network correlator 150performs step 1320 and/or step 1325 described below.

In step 1320, if the region parameter is configured for the firstregion, the network correlator 150 displays the relational networkmapping in accordance with the first region in the graphical userinterface.

In step 1325, if the region parameter is configured for the secondregion, the network correlator 150 displays the relational networkmapping in accordance with the second region in the graphical userinterface.

In step 1330, the network correlator 150 adapts the set of configurableparameters to include a traffic type parameter associated with one ormore traffic types that can be transceived over the primary network.Given an on-net traffic type and an off-net traffic type of the primarynetwork, the network correlator 150 performs step 1335 and/or step 1340described below.

In step 1335, if the traffic type parameter is configured for the on-nettraffic type, the network correlator 150 displays the relational networkmapping in accordance with the on-net traffic type in the graphical userinterface, wherein the on-net traffic type indicates network trafficthat is transceived, at least in part, between the primary network andat least one customer network of the primary network.

In step 1340, if the traffic type parameter is configured for theoff-net traffic type, the network correlator 150 displays the relationalnetwork mapping in accordance with the off-net traffic type in thegraphical user interface, wherein the off-net traffic type indicatesnetwork traffic that is transceived, at least in part, between theprimary network and at least one peer network of the primary network.

In step 1345, the network correlator 150 adapts the set of configurableparameters to include a transmission parameter associated with one ormore transmission distances of the primary network. Given a firsttransmission distance and a second transmission distance of the primarynetwork, the network correlator 150 performs step 950 and/or step 955described below.

In step 1350, if the transmission parameter is configured for the firsttransmission distance, the network correlator 150 displays therelational network mapping in accordance with the first transmissiondistance in the graphical user interface.

In step 1355, if the region parameter is configured for the secondtransmission distance, the network correlator 150 displays therelational network mapping in accordance with the second transmissiondistance in the graphical user interface.

In accordance with an example embodiment, the network correlator 150displays the relational network mapping by enabling the graphical userinterface to be configured according to a region parameter, a traffictype parameter, and a transmission parameter. For example, the regionparameter can be selectively configurable to a first and a second regionassociated with the primary network.

Similarly, the traffic type parameter can be selectively configurable toan on-net traffic type and an off-net traffic type. In this manner, theon-net traffic type is associated with network traffic transceivedbetween the primary network and at least one customer network, while theoff-net traffic type is associated with network traffic transceivedbetween the primary network and at least one peer network.

In another example embodiment, the transmission parameter is selectivelyconfigurable to a local transmission distance and a backbonetransmission distance.

Although the present invention has been described with reference tovarious embodiments, it will be understood that the invention is notlimited to the details thereof. Various modifications and substitutionswill occur to those of ordinary skill in the art. All such substitutionsare intended to be embraced within the scope of the invention as definedin the appended claims.

What is claimed is:
 1. A system comprising: a primary network; aplurality of secondary networks in communication with the primarynetwork, wherein the secondary networks comprise at least one customernetwork of the primary network and at least one peer network of theprimary network; a network flow module configured to generate a networktraffic data set by monitoring network traffic between the primarynetwork and the plurality of secondary networks; a network connectivitymodule configured to determine a mapping of network connectivity bymonitoring inter-network routing information between the primary networkand the plurality of secondary networks; a network correlator moduleconfigured to calculate a relational network mapping between the primarynetwork and the plurality of secondary networks by correlating thenetwork traffic data set and the mapping of network connectivity; and agraphical user interface operable to enable the relational networkmapping to be selectively configured in accordance with a set ofconfigurable parameters; wherein the network correlator module isconfigured to display the relational network mapping in the graphicaluser interface in accordance with the set of configurable parameters;wherein the network correlator module is configured to enable thegraphical user interface to be configured according to a regionparameter, a traffic type parameter, and a transmission parameter;wherein the region parameter is selectively configurable to a firstregion associated with the primary network and a second regionassociated with the primary network; wherein the traffic type parameteris selectively configurable to an on-net traffic type and an off-nettraffic type, the on-net traffic type associated with network traffictransceived between the primary network and the at least one customernetwork, and the off-net traffic type associated with network traffictransceived between the primary network and the at least one peernetwork; and wherein the transmission parameter is selectivelyconfigurable to a local transmission distance and a backbonetransmission distance.
 2. A system as recited in claim 1, wherein thenetwork flow module is further configured to perform at least one of thesteps of: identifying on-net traffic of the primary network bydetermining which network traffic is transceived between the primarynetwork and the at least one customer network; and identifying off-nettraffic of the primary network by determining which network traffic istransceived between the primary network and the at least one peernetwork.
 3. A system as recited in claim 2, wherein the network flowmodule is further configured to: collect network traffic data inaccordance with a sampling rate; and identify on-net or off-net trafficof the primary network by determining, for each sampled transmission ofnetwork traffic, at least one of an originating Autonomous System Number(ASN), a destination ASN, an ingress AS, and an egress ASN.
 4. A systemas recited in claim 1 further comprising: a traffic measurement moduleconfigured to generate a traffic measurement data set by monitoringnetwork utilization statistics between the primary network and theplurality of secondary networks; and wherein the network correlatormodule is configured to calculate a relational network mapping bycorrelating the network traffic data set, the mapping of networkconnectivity, and the traffic measurement data set.
 5. A system asrecited in claim 4, wherein the traffic measurement module is configuredto perform at least one of the steps of: aggregating sampled trafficdata from a plurality of Simple Network Management Protocol (SNMP)counters to determine an amount of network traffic that is transceivedbetween the primary network and the at least one customer network; andaggregating sampled traffic data from a plurality of Simple NetworkManagement Protocol (SNMP) counters to determine an amount of networktraffic that is transceived between the primary network and the at leastone peer network.
 6. A system as recited in claim 1, wherein the networkconnectivity module is configured to perform at least one of the stepsof: determining connectivity relationships between edge interfaces inthe primary network and edge interfaces in the at least one customernetwork; and determining connectivity relationships between edgeinterfaces in the primary network and edge interfaces in the at leastone peer network.
 7. A system as recited in claim 6, wherein the networkconnectivity module is further configured to monitor egress interfacesof the primary network using Border Gateway Protocol (BGP) to obtainAutonomous System Numbers (ASNs) associated with the plurality ofsecondary networks.
 8. A system as recited in claim 1, wherein thenetwork correlator module is configured to perform the steps of:determining an amount of network traffic transceived between the primarynetwork and the at least one customer network during a given timeperiod; for the given time period, determining an amount of networktraffic transceived between the primary network and the at least onepeer network.
 9. A system as recited in claim 1, wherein the at leastone customer network of the primary network comprises a first customernetwork, and the at least one peer network of the primary networkcomprises a first peer network and a second peer network, the networkcorrelator module further configured to: for a given time period,determine a first proportion of network traffic transceived over theprimary network that is also transceived between the first customernetwork and the first peer network; for the given time period, determinea second proportion of network traffic transceived over the primarynetwork that is also transceived between the first customer network andthe second peer network; and compare the first proportion of networktraffic with the second proportion of network traffic.
 10. A system asrecited in claim 1, wherein the at least one customer network of theprimary network comprises a first customer network and a second customernetwork, and the at least one peer network of the primary networkcomprises a first peer network, the network correlator module furtherconfigured to: for a given time period, determine a first proportion ofnetwork traffic transceived over the primary network that is alsotransceived between the first peer network and the first customernetwork; for the given time period, determine a second proportion ofnetwork traffic transceived over the primary network that is alsotransceived between the first peer network and the second customernetwork; and compare the first proportion of network traffic with thesecond proportion of network traffic.
 11. A system as recited in claim1, wherein the at least one customer network of the primary networkcomprises a first customer network, a second customer network, and athird customer network, the network correlator module further configuredto: for a given time period, determine a first proportion of networktraffic transceived over the primary network that is also transceivedbetween the first customer network and the second customer network; forthe given time period, determine a second proportion of network traffictransceived over the primary network that is also transceived betweenthe first customer network and the third customer network; and comparethe first proportion of network traffic with the second proportion ofnetwork traffic.
 12. A system as recited in claim 1, wherein the networkcorrelator module is further configured to render, in the graphical userinterface, a graphical display of the relational network mapping betweenthe primary network and the plurality of secondary networks, thegraphical display comprising a first graphical region indicating a totalamount of network traffic transceived over the primary network for agiven time period; and wherein the graphical display further comprises asecond graphical region indicating a proportion of the total amount ofnetwork traffic transceived over the primary network that is alsotransceived between the at least one customer network and the at leastone peer network for the given time period.
 13. A system as recited inclaim 1, wherein the network correlator module is further configured torender, in the graphical user interface, a graphical display of therelational network mapping between the primary network and the pluralityof secondary networks, the graphical display comprising a firstgraphical region indicating an amount of network traffic transceivedbetween the primary network and a first customer network for a giventime period; and wherein the graphical display further comprising asecond graphical region indicating an amount of network traffictransceived over the primary network that is also transceived betweenthe first customer network and a first peer network for the given timeperiod.
 14. A system as recited in claim 13, wherein the graphicaldisplay further comprises a third graphical region indicating an amountof network traffic transceived over the primary network that is alsotransceived between the first customer network and a second customernetwork for the given time period.
 15. A system as recited in claim 13,wherein the graphical display further comprises a third graphical regionindicating an amount of network traffic transceived over the primarynetwork that is also transceived between the first customer network anda second peer network for the given time period.
 16. A system as recitedin claim 1, wherein the network correlator module is further configuredto render, in the graphical user interface, a graphical display of therelational network mapping between the primary network and the pluralityof secondary networks, the graphical display comprising a firstgraphical region indicating an amount of network traffic transceivedbetween the primary network and a first peer network for the given timeperiod; and wherein the graphical display further comprises a secondgraphical region indicating an amount of network traffic transceivedover the primary network that is also transceived between the first peernetwork and a first customer network for the given time period.
 17. Asystem as recited in claim 16, wherein the graphical display furthercomprises a third graphical region indicating an amount of networktraffic transceived over the primary network that is also transceivedbetween the first peer network and a second customer network for thegiven time period.
 18. A system as recited in claim 1, wherein thenetwork flow module is configured to collect the network traffic dataset at a pre-configured sampling rate, wherein a sampled portion of thenetwork traffic data set represents statistics of a communicationbetween two network interfaces in accordance with a given networkprotocol during a given sampling time period, and wherein at least onenetwork interface is in the primary network.
 19. A system as recited inclaim 1, wherein the network correlator module is configured to performthe steps of: if the region parameter is configured for the firstregion, displaying the relational network mapping in accordance with thefirst region in the graphical user interface; and if the regionparameter is configured for the second region, displaying the relationalnetwork mapping in accordance with the second region in the graphicaluser interface.
 20. A system as recited in claim 1, wherein the networkcorrelator module is configured to perform the steps of: if the traffictype parameter is configured for the on-net traffic type, displaying therelational network mapping in accordance with the on-net traffic type inthe graphical user interface, wherein the on-net traffic type indicatesnetwork traffic that is transceived, at least in part, between theprimary network and the at least one customer network of the primarynetwork; and if the traffic type parameter is configured for the off-nettraffic type, displaying the relational network mapping in accordancewith the off-net traffic type in the graphical user interface, whereinthe off-net traffic type indicates network traffic that is transceived,at least in part, between the primary network and the at least one peernetwork of the primary network.
 21. A system as recited in claim 1,wherein the transmission parameter is associated with one or moretransmission distances of the primary network, the system furthercomprising: a first transmission distance and a second transmissiondistance of the primary network, wherein the network correlator moduleis configured to perform the steps of: if the transmission parameter isconfigured for the first transmission distance, displaying therelational network mapping in accordance with the first transmissiondistance in the graphical user interface; and if the region parameter isconfigured for the second transmission distance, displaying therelational network mapping in accordance with the second transmissiondistance in the graphical user interface.
 22. A system as recited inclaim 1 further comprising: a network flow control server operable toimplement the network flow module for receiving and processing networktraffic data from network interfaces in the primary network.